Privacy Regulation: Symmetry or Asymmetry?

Last week, the five associations representing virtually all wireline and (non-WISP) mobile ISPs submitted a joint proposal to the Federal Communications Commission (FCC) on how to address the implications of applying Section 222 to broadband Internet access in the wake of the FCC’s ill-advised 2015 Title II Order. As the filing explains, ISPs do not currently live in a “regulatory-free zone” when it comes to privacy, nor are we asking to live in one in the future. Prior to the FCC’s Order, wireline and mobile ISPs provided service in accordance with the Federal Trade Commission’s (FTC’s) privacy regime (which prohibits deceptive and unfair trade practices). That regime also governed – and will continue to govern – the privacy practices of search providers, OS providers, browsers, apps, email providers and other tech companies who operate in the Internet ecosystem whether they collect and use customer data to provide services or to monetize that customer data through advertising.

Under that regime, all major ISPs have enacted privacy policies which explain to consumers the information that ISPs collect and how that data is used. At AT&T, we’ve continued to simplify our policy, including several years ago when we went to a single comprehensive privacy policy that describes plainly and simply the information we collect, how we collect it and how we use it. I served several years as AT&T’s Chief Privacy Officer (until I was succeeded by Lori Fink, our current Chief Privacy Officer, last July) and can tell you first hand that we take customer privacy and how we communicate our polices to our customers seriously.

The FTC privacy regime presented a uniform approach to privacy that focused on customer transparency, disclosure and customer choice. In fact, after the EU courts vacated the safe harbor provisions that had been in place governing data transfers between the U.S. and Europe, the U.S. Government went to great lengths to highlight to their EU counterparts that privacy enforcement by the FTC was equal to or stronger than privacy enforcement in Europe. As privacy oversight for ISPs transfers from the FTC to the FCC as a direct result of the Title II Order, AT&T has and will continue to advocate for a framework that is based on the FTC approach.

Some groups, however, have argued that in fact the FCC needs to go much further than the current FTC framework in its treatment of ISPs. To get there, those groups have characterized ISPs as “gatekeepers,” asserted that ISPs (as opposed to companies like Google) are the real leaders of targeted advertising and, finally, argued that the Federal Trade Commission is, in essence, incompetent at policing privacy given the tools they have available. With all due respect to those groups, their arguments are just not borne out by the facts.

First, with respect to the claims that ISPs are somehow uniquely positioned in the Internet ecosystem, I recommend that you read the recent paper written by Peter Swire entitled Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less Than Access by Others. In his paper, Professor Swire details the different technologies and services utilized by different participants in the Internet ecosystem to turn consumer Internet activity into profiles that feed the large Internet companies, like Google’s, advertising engines. It is not a policy paper in the sense that Prof. Swire is advocating an outcome, but rather a factual analysis of how the Internet works and how the various platforms that operate in the Internet ecosystem collect and combine user data, mostly to serve ads. No matter which side of the debate you fall on, the paper is really a fascinating study. It does not stand for the proposition that ISPs don’t have access to data, as some commenters have mischaracterized it. On the contrary, the ISPs main business is to facilitate communications and that means we do have access to some data. What Prof. Swire’s paper does stand for, however, is the proposition that the data to which ISPs have access is more limited (and shrinking with the growing implementation of technologies like encryption and VPNs) than the other companies operating in the Internet.

Prof. Swire also explains how consumers’ online data is widely shared among a wide range of companies on the Internet. The same types of consumer data that are visible to ISPs are collected and used by a wide variety of “edge providers,” such as web browsers, search engines, operating systems and social networks. Given the realities of this complex market, there is no basis for treating ISP data as somehow “proprietary” or subjecting ISPs to unique privacy requirements. Consumers expect and deserve consistent privacy protections for their online data, regardless of which company is collecting it and the technology used to collect it.

With respect to their assertions about the competency of the FTC, I’ll let the FTC defend itself but I would note that the FTC, to my own eyes, has been an active and aggressive regulator enforcing consumer protections in enforcement actions versus the likes of Google, Facebook, Snapchat and a host of other companies.

All of this, of course, begs the question: What will the FCC do in the Broadband Privacy rulemaking that will be voted in three weeks? I don’t have a crystal ball, but Monday’s consent decree with Verizon is a bad omen. Verizon consented to certain conditions related to its use of a unique identifier used to deliver targeted advertising to consumers. I don’t have access to the ins and outs of that case, but I note the use of unique identifiers is not limited to companies like Verizon. In fact, both Apple and Google, providers of the two largest mobile operating systems today, utilize “advertising ids” to facilitate delivery of ads within apps operating on their operating systems.

While both companies permit a consumer to opt out of receiving targeted advertising, neither permits a consumer to “opt-out” from displaying the identifier itself, yet that is what the FCC required Verizon to do as part of its consent decree, even though Verizon is only using the identifier internally. The FCC went further and required “opt in” to share the identifier with third parties for targeted advertising, similar to what Google and Apple are currently doing. However, the consent decree contained no analyses whatsoever that explains the differences between the platforms or the justification for the more strict approach for Verizon’s use of an identifier.

In the 1980’s telecommunications industry, when companies were required by law to stay in their lanes, it might have made sense to have rules that applied only to one set of providers in an industry. But that was 30+ years ago, and we are long past that stage in U.S. communications policy. An example: in 2009, the world’s leading text message providers were mobile phone companies; in 2015, WhatsApp was sending 10 billion more text messages per day than the entire mobile SMS ecosystem in total. Limiting ISPs’ ability to compete with ad supported business models – which are overwhelmingly favored by consumers – is bad for consumers and ultimately bad for broadband investment in this country.

But time and time again, the FCC appears to want to place its thumb on the scale in favor of Internet companies and against the companies that invest in broadband infrastructure in this country. Last year, it was the Title II proceeding. Last month, we were talking about set-top boxes, this month it’s privacy, next month it could be special access. I really hope I am wrong and reading too much into the Verizon consent decree. Asymmetric regulation which favors some competitors and disfavors others with no rational justification in law or policy distorts the marketplace and ultimately harms consumers. But hey, as I have said before, I am not a rocket scientist. Maybe the FCC will surprise me.

Comments

Comment Moderation Policy

AT&T pre-moderates comments on our blog before they are published. This means there will be a delay between the time a comment is submitted and it appears on the post. Profanity or topics that are not germane to the post will not be approved for posting. If you wish to communicate with AT&T regarding customer service, please call 1-800-331-0500 or reach out on Twitter at @ATTCares.